dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.

dn_indicates_v3_cert() does this:

  len = ASN1_STRING_to_UTF8(&s, str);
  if (len < 0) {
    return 0;
  }
  r = fast_memneq(s + len - 4, ".net", 4);

Note that if the len < 4, we read bytes from a malloc header, which isn't a good thing at all.

In practice, I don't think this should cause crashes or security failures, unless somebody is using a very weird malloc, or unless somebody has a hardened installation that detects this kind of invalid check.

Still, this is a must-fix.